The European Union’s General Data Protection Regulation (GDPR) may have forced businesses to put more thought into their cybersecurity and data handling processes, but the majority are still vulnerable to leaks.

New research conducted by global security company ESET and computer storage specialists Kingston Technology has revealed that 55% of businesses based in the United Kingdom are failing to encrypt removable devices such as USB pen drives.

Should these devices be lost or stolen, the data stored on the drive would be accessible by anybody that came to be in its possession.

“The survey reveals that companies are still not adequately protected from data leaks as this level of unencrypted devices means anyone can access personal data without security clearances,” Jake Moore, a cybersecurity specialist for ESET, said. “This poses significant security concerns for firms that do not have the processes in place to ensure their data is safe.”

Businesses could fall foul of GDPR

In 2017, Kingston reported how Heathrow Airport’s failure to use encrypted USB devices led to the leak of sensitive information, including information on security timetables, CCTV camera locations, and the measures used to protect the Queen from attack.

While Heathrow Airport was subject to a £120,000 by the Information Commissioner’s Office (ICO) for its “serious” data protection failure, the punishment would have likely been far harsher had it occurred after GDPR was implemented last May.

The ICO now has the power to issue fines of up to €20m or 4% of global annual turnover if a company is found to have inadequately protected private data.

Using unencrypted USB devices is putting businesses at risk of a hefty fine, with 62% of executives quizzed by ESET admitting that they have seen USB devices left in unsecured locations on their premises, such as on desks or in drawers, where they can be easily accessed and taken by other employees or visitors.

“Using encrypted USBs will protect your sensitive data outside of the network firewall. Regardless of this, almost half of British businesses are not encrypting removable devices,” Robert Allen, European Director of Marketing & Technical Services for Kingston Technology, said. “However, encryption promotes and maintains a productive and efficient mobile workforce while complying with GDPR and other data protection regulations.”


Read more: World Password Day: Is it time to do away with the traditional password?